SVR310: Using the Microsoft Connection Broker to Provide VDI, Session, and Application Centralised Publishing
Alex Balcanquall, Senior Product Planner, Microsoft

Agenda
• VDI levelset: VDI vs. sessions?
• RDS roles used to enable VDI scenarios
• Setup steps & considerations
• Putting it all together
• Tips & tricks
• 3rd-party value & the MS VDI stack
• Licensing + VECD

Partner Solutions (R2)
• Microsoft: typically departmental / simple scenarios
• Partners: typically enterprise-wide / complex scenarios

Session Virtualization vs. Centralized Desktop Virtualization
[Figure: session virtualization runs many client sessions on one Server OS; centralized desktop virtualization (VDI) runs Client OS 1 ... Client OS n as separate VMs on a hypervisor.]

Centralized Desktops: RDS vs. VDI

| | RDS (Session-Based) | VDI (VM-Based) |
| Technology maturity | Proven | Emerging |
| Scalability | Higher ratio of users/server | Lower ratio of users/server |
| Isolation / security | Session-based isolation; shared OS across users; must run as standard user | VM-based isolation; dedicated OS per user; can run as admin |
| Remote user experience | Protocol-dependent | Protocol-dependent |
| User flexibility | User is running as a user | User can have full rights |
| Application compatibility | Windows Server OS | Windows client desktop |

RDS Roles Explained
RD Session Host
• Provides multi-session virtualization (f.k.a. Terminal Server)
• Sessions for both remote desktops & RemoteApp
RD Virtualization Host
• Orchestrates Hyper-V hosted client VMs
• Enables VDI scenarios
• The Connection Broker drives RD Virtualization requests
RD Connection Broker
• Combines Session Directory, Publishing & Connection Broker in a single service
• Aggregates RemoteApp hosts, personal VDI VMs & shared VDI VMs
• Redirects the user to the right resource at the right time; informs the RD Virtualization Host
RD Web Access
• Provides publishing, not connectivity
• Two modes: points at either multiple RemoteApp hosts OR the Connection Broker
• Aggregates multiple RemoteApp hosts in either mode
RD Gateway
• Provides HTTPS-based access
• Enables access to corporate resources from the internet
• Can provide endpoint- and redirection-based security services

RD Virtualization Host
Responsible for orchestrating VDI VMs: startup, shutdown, freeze/unfreeze, rollback.
• Install the Remote Desktop Virtualization Host role service (installs the VM Host Agent service, tsvmhasvc.dll)
• Receives commands from the Connection Broker to start VMs
• Collects information on VMs and sends it to the Connection Broker (session information and VM state, i.e. is it running or hibernated)

[Figure: VDI connection flow between the Remote Desktop client, RD Connection Broker & Publishing, and the RD Virtualization Host]
1. User requests a VM
2. Broker determines the right VM
3. Broker tells the RDVH to spin up the VM
4. RDVH sets the VM as ready
5. RDCB redirects the client

RD Connection Broker: Multiple Capabilities
• Connection Broker
• Publishing Service
• Redirector
Connection Broker & Redirector can be separate.

[Figure: publishing and connection flow across RD Virtualization Host, RD Session Host, RD Connection Broker & Publishing, RD Web Access and the Win7 RemoteApp & Desktop Connection client]
1. Broker retrieves resources from the RD Virtualization Hosts and RD Session Hosts
2. RD Web Access retrieves the feed; Win7 clients retrieve the feed via RemoteApp & Desktop Connection
3. User clicks a resource icon to launch the Remote Desktop Connection client (mstsc.exe)
4. Connection initiated to the Broker; Broker returns the resource
5. Client connects directly to the resource
Connection Broker Role Service
Installs 2 services:
• Connection Broker: tssdis
• Centralized Publishing (officially "RemoteApp and Desktop Management Service"): tscpubrpc
Connection Broker
• Processes all RDS and RDV connections
• Stores all session information; without this, users can't get back to disconnected sessions
• Calls into Centralized Publishing to connect you to your personal VM
Centralized Publishing Service
• Aggregates RemoteApp programs from RD Session Hosts
• Maintains the list of VM pools and queries AD for the personal VM assignments
• RD Web Access calls into this service to get the list of RemoteApps and desktops for the user
• Looks up the user's assigned personal VM for the Connection Broker
• By default listens on TCP port 5504
Redirector component
• The redirector is an RD Session Host in "drain / dedicated redirector" mode
• Forwards the RDP client's connection request to the Connection Broker and returns the list of IP addresses received from the broker
• Only 1 redirector is needed for both personal virtual desktops and VM pools
• Users never "TS" into the redirector, but they do need to be in its "Remote Desktop Users" security group
• Drain mode means users cannot connect to this server for a desktop or a RemoteApp
• For administrative access, start mstsc with the /admin switch
Setup
0 – Importance of SSL certificates
1 – Preparing Hyper-V & RD Virtualization Host
2 – Preparing client OS VMs
3 – Configuring Redirector & Broker
4 – Configuring Web Access
5 – Setting up pools

Step 0 – Importance of Certificates
RDP signing enables many features:
• Single sign-on (for web-accessed RemoteApp)
• Trusted behaviors
• RemoteApp & Desktop Connections
• Etc.
Make sure you have an SSL certificate you can use:
• The cert used by RD Web Access, or a trusted root cert for the enterprise / a known 3rd-party authority
• Deploy the cert to all client machines (not needed if the cert is issued by a known 3rd-party authority)
• Deploy with Group Policy for managed clients
• Will need to be manually installed on non-trusted (unmanaged) clients

Step 1 – Preparing Hyper-V / Virtualization Host
• Install the Hyper-V role
• Install the Remote Desktop Virtualization Host role service
Sizing your Hyper-V server?
Q. How many VDI VMs can I get on my Hyper-V server?
A. It depends (just like sessions)!
• Depends on applications
• Depends on data used
• Depends on the demand cycle of the user
• Depends on OS – use Windows 7
• Test, test, test – with *real* users

Step 2 – Preparing Client OS VMs
• Supports XP SP3, Vista and Windows 7 clients
• If using XP SP3 or Vista, install the Hyper-V enlightenments (Integration Services) from the Hyper-V management tool
• This is the most commonly misconfigured part of the VDI solution and involves 5 manual steps
VM guest configuration
1. Enable Remote Desktop Services (Group Policy)
2. Add user groups to the Remote Desktop Users group
3. Enable Remote RPC (Group Policy), or set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\AllowRemoteRPC from 0 to 1
4. Allow Remote Service Management through the firewall (Group Policy)
5. Modify RDP permissions (manual or script): add the VM host machine account to the RDP listener permissions
• This must be done by a VBScript or PowerShell script, as the UI is not available on client SKUs
• The RDVH server computer account needs the WINSTATION_QUERY, WINSTATION_LOGOFF and WINSTATION_DISCONNECT permissions on each virtual machine in the virtual desktop pool
• Can only be done after domain join
Modify RDP-Tcp permissions with wmic (run inside the guest; replace <domain> and <rdvh_server> with the RDVH server's domain and computer name; the trailing $ makes it the machine account; WQL requires the backslash to be doubled inside the where clause):

  wmic /node:localhost RDPERMISSIONS where TerminalName="RDP-Tcp" CALL AddAccount "<domain>\<rdvh_server>$",1
  wmic /node:localhost RDACCOUNT where "(TerminalName='RDP-Tcp' or TerminalName='Console') and AccountName='<domain>\\<rdvh_server>$'" CALL ModifyPermissions 0,1
  wmic /node:localhost RDACCOUNT where "(TerminalName='RDP-Tcp' or TerminalName='Console') and AccountName='<domain>\\<rdvh_server>$'" CALL ModifyPermissions 2,1
  wmic /node:localhost RDACCOUNT where "(TerminalName='RDP-Tcp' or TerminalName='Console') and AccountName='<domain>\\<rdvh_server>$'" CALL ModifyPermissions 9,1
  net stop termservice
  net start termservice

(AddAccount ...,1 adds the account with the USER permission preset; each ModifyPermissions <mask>,1 then grants one right, masks 0, 2 and 9 being the query, reset/log-off and disconnect rights listed above. The service restart makes the listener re-read its security descriptor.)
Combined automatic XP / Vista / Win7 script available at:
http://gallery.technet.microsoft.com/ScriptCenter/en-us/bd2e02d0-efe7-4f89-84e5-7ad70f9a7bf0
Configuring the client: use Group Policy where possible.

Step 3 – Configure Connection Broker & Redirector
Untangling the broker & redirector
• The Connection Broker is an RDS role service, responsible for brokering connections
• The Redirector is an RD Session Host configured as a dedicated redirector
• Add the RDWA server(s) to the "TS Web Access Computers" group on the Connection Broker
Redirector configuration
• Installed by installing the Remote Desktop Services role (RD Session Host)
• This puts the RDSH in drain mode, so RemoteApp programs should not be set up on this server or users will not be able to connect
• The only manual configuration is to add the authorized users to the "Remote Desktop Users" security group
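The five Step 2 guest settings, as one PowerShell script. This is an added example, not code from the original deck or from the Script Center script it links. It assumes a domain-joined Windows 7 guest and uses the hypothetical domain CONTOSO, RDVH computer account RDVH01$ and user group "CONTOSO\VDI Users"; it calls the same WMI classes the wmic RDPERMISSIONS and RDACCOUNT aliases wrap (Win32_TSPermissionsSetting and Win32_TSAccount), which on Windows 7 live in the root\cimv2\TerminalServices namespace. Run it elevated inside the guest after domain join; on managed VMs Group Policy remains the preferred way to set the first four items.

```powershell
# Added example (not from the original deck): configure a domain-joined Windows 7
# guest so the RD Virtualization Host can orchestrate it (Step 2 above).
# Hypothetical names: domain CONTOSO, RDVH computer account RDVH01$, group
# "CONTOSO\VDI Users". Run elevated inside the guest, after domain join.
# On Windows 7 the RDS WMI classes are in root\cimv2\TerminalServices;
# on XP SP3 they are in root\cimv2 (adjust $ns).
param(
    [string]$Domain     = 'CONTOSO',
    [string]$RdvhServer = 'RDVH01',
    [string]$UserGroup  = 'CONTOSO\VDI Users'
)

$ns      = 'root\cimv2\TerminalServices'
$tsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$account = "$Domain\$RdvhServer`$"       # machine account, e.g. CONTOSO\RDVH01$
$wqlAcct = $account.Replace('\', '\\')   # WQL string literals need the backslash doubled

# 1. Enable Remote Desktop (GP equivalent: "Allow users to connect remotely
#    using Remote Desktop Services").
Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 0 -Type DWord

# 2. Let the VDI user group log on through RDP.
net localgroup 'Remote Desktop Users' $UserGroup /add | Out-Null

# 3. Enable Remote RPC so the RDVH can query, disconnect and log off sessions.
Set-ItemProperty -Path $tsKey -Name AllowRemoteRPC -Value 1 -Type DWord

# 4. Open the firewall for Remote Desktop and Remote Service Management.
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes | Out-Null
netsh advfirewall firewall set rule group="Remote Service Management" new enable=yes | Out-Null

# 5. Grant the RDVH computer account rights on the RDP-Tcp listener.
#    AddAccount(account, 1) adds it with the USER preset; ModifyPermissions then
#    grants single rights: 0 = WINSTATION_QUERY, 2 = WINSTATION_RESET (log off),
#    9 = WINSTATION_DISCONNECT (the three rights the deck lists).
$listener = Get-WmiObject -Namespace $ns -Class Win32_TSPermissionsSetting `
    -Filter "TerminalName='RDP-Tcp'"
$listener.AddAccount($account, 1) | Out-Null

$accounts = Get-WmiObject -Namespace $ns -Class Win32_TSAccount `
    -Filter "(TerminalName='RDP-Tcp' OR TerminalName='Console') AND AccountName='$wqlAcct'"
foreach ($acct in $accounts) {
    foreach ($right in 0, 2, 9) {
        $acct.ModifyPermissions($right, $true) | Out-Null
    }
}

# The listener re-reads its security descriptor when TermService restarts
# (-Force also restarts the dependent UmRdpService / SessionEnv services).
Restart-Service TermService -Force

# Verify: the PermissionsAllowed bitmask now held by the RDVH account on RDP-Tcp.
Get-WmiObject -Namespace $ns -Class Win32_TSAccount `
    -Filter "TerminalName='RDP-Tcp' AND AccountName='$wqlAcct'" |
    Select-Object TerminalName, AccountName, PermissionsAllowed
```

The final query is the quickest check when a user sits at "Waking Machine" for a long time, which the Tips section below attributes to guest misconfiguration: if the RDVH account is missing from the RDP-Tcp listener, the broker cannot query the VM's session state and never hands the client over.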
On the redirector, to manually configure the role:
• Open the Remote Desktop Session Host Configuration snap-in
• Set the server purpose to "Virtual machine redirection"
Demo: Redirector & Pool Setup

Step 4 – Configuring Web Access
Two modes of operation; VDI requires Connection Broker (Centralized Publishing) mode.
• Point mode: RD Web Access points directly at RD Session Host(s); good for session-based RemoteApp & desktops
• Centralized Publishing mode: RD Web Access points at the RD Connection Broker & Publishing service; single view of both VDI and session-based resources
NOTE: RD Web Access DOES NOT provide connectivity.

[Figure: RD Web Access in Publishing mode, with RD Gateway]
1. Web Access retrieves the resource list from the Connection Broker
2. User sees the list of applicable resources in IE
3. RDC is launched on click
4. RDC initiates the connection via the Gateway

Step 5: Personal or Pooled Virtual Desktops?
Personal virtual desktops
• One OS image per user
• Administrator access, desktop customizable
• User state typically part of the image
Pooled virtual desktops
• Shared OS images, identically configured
• No administrator access
• User state temporary (discarded at session end)
Demo: Configure Pools

Discovery Architecture
[Figure: RD Web Access (in the DMZ), RD Connection Broker, RDSH servers and Active Directory]
1. Client requests available resources from RD Web Access
2. RD Web Access queries the Connection Broker for resources, sending the user's SID for filtering (see A)
3. Broker aggregates resources from multiple RDSH servers and stamps them with the workspace (see B)
4. Per-user VM assignment is queried in AD
5. If a VM is assigned, retrieve the RDP file
6. Query the virtual desktop pools
7. RemoteApps are filtered based on the security descriptor set on the RDSH (see C)
A. The RDWA machine account must be in the "TS Web Access Computers" security group
B. The RDCB machine account must have remote DCOM and WMI (TerminalServices namespace) privileges; by default "TS Web Access Computers" has this access
C. RemoteApp user filtering requires the RDCB to be in the "Windows Authorization Access Group" domain security group, or the domain to be in Pre-Windows 2000 Compatibility mode

Connection Sequence
[Figure: connection sequence between the client, RD Redirector, RD Connection Broker, RDV Host and the VMs; the step numbering is not recoverable from the slide]

Tips and Tricks: Common Issues
• RD Web Access machine account not in the "TS Web Access Computers" security group
• DCOM and WMI security groups no longer have "TS Web Access Computers" listed with remote access
• TCP port 5504 not open in the firewall
• WMI port not open
• Server can't connect to AD (not in a domain, no network access, or trust relationship issue)

Tips & Tricks: Connection Broker
• If clustering the Connection Broker: the VM host and the Connection Broker can't be installed on the same machine
• For thin-client support, check "Enable redirection for earlier RDC versions" and add the IP address of the redirector
Top 2 issues seen in deployments
• Configuration of the guest VM was incorrect; a symptom is the user seeing a "Waking Machine" message for a long time
• Users complaining they couldn't connect to a personal domain desktop, when no desktop was assigned
Troubleshooting? – Script Center!
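A check script for the common issues listed above, written as an added example (not from the deck or from the Script Center scripts it points to). It runs from the RD Web Access server against a broker with the hypothetical name RDCB01 and tests: TCP 5504 reachability, membership of this RDWA machine account in the broker's local "TS Web Access Computers" group, remote WMI access to the TerminalServices namespace on the broker, direct membership of the broker's computer object in the "Windows Authorization Access Group" (needed for per-user RemoteApp filtering, see note C above), and basic domain reachability. It needs admin rights on the broker for the group and WMI checks; the WAAG check looks at direct membership only.

```powershell
# Added example (not from the original deck): verify the "Common Issues" list
# from the RD Web Access server. Hypothetical names: broker RDCB01; the RDWA
# host defaults to the local machine. Needs admin rights on the broker.
param(
    [string]$Broker        = 'RDCB01',
    [string]$WebAccessHost = $env:COMPUTERNAME
)

$results = @()
function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

# 1. Centralized Publishing listens on TCP 5504 by default: is it reachable?
$tcp = New-Object Net.Sockets.TcpClient
try     { $tcp.Connect($Broker, 5504); Add-Result 'TCP 5504 open on broker' $true "${Broker}:5504" }
catch   { Add-Result 'TCP 5504 open on broker' $false $_.Exception.Message }
finally { $tcp.Close() }

# 2. Is this RDWA machine account in the broker's local "TS Web Access Computers" group?
try {
    $group   = [ADSI]"WinNT://$Broker/TS Web Access Computers,group"
    $members = @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
    $inGroup = $members -contains "$WebAccessHost`$"
    Add-Result 'RDWA in TS Web Access Computers' $inGroup ($members -join ', ')
} catch { Add-Result 'RDWA in TS Web Access Computers' $false $_.Exception.Message }

# 3. Remote WMI access to the TerminalServices namespace on the broker
#    (requires DCOM + namespace rights, granted to TS Web Access Computers by default).
try {
    $null = Get-WmiObject -ComputerName $Broker -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TerminalServiceSetting -ErrorAction Stop
    Add-Result 'Remote WMI TerminalServices namespace' $true 'query succeeded'
} catch { Add-Result 'Remote WMI TerminalServices namespace' $false $_.Exception.Message }

# 4. Is the broker's computer object a direct member of "Windows Authorization
#    Access Group"? (Needed for RemoteApp per-user filtering unless the domain is
#    in pre-Windows 2000 compatibility mode. Nested membership is not evaluated.)
try {
    $ds = New-Object DirectoryServices.DirectorySearcher
    $ds.Filter = "(&(objectCategory=computer)(cn=$Broker))"
    $brokerDn  = $ds.FindOne().Properties['distinguishedname'][0]
    $ds.Filter = '(&(objectClass=group)(cn=Windows Authorization Access Group))'
    $waag      = $ds.FindOne()
    $inWaag    = @($waag.Properties['member']) -contains $brokerDn
    Add-Result 'RDCB in Windows Authorization Access Group' $inWaag $brokerDn
} catch { Add-Result 'RDCB in Windows Authorization Access Group' $false $_.Exception.Message }

# 5. Can this machine reach its domain at all?
try {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
    Add-Result 'AD reachable' $true $domain.Name
} catch { Add-Result 'AD reachable' $false $_.Exception.Message }

$results | Format-Table Check, Ok, Detail -AutoSize
```

A failed check 1 with a passing check 5 usually means the broker's firewall, not the network; a failed check 2 or 3 reproduces the two group-related issues above, and check 4 explains RemoteApp lists that appear unfiltered or empty while desktops still publish.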
Script Center scripts for RDS / RDV
• Configure guest OS for use with RDV
• Verify redirection configuration
• Verify virtual machine configuration for RDV
• Create deployment usage reports
• Verify RD Web Access configuration
• Verify RDV deployment configuration
• Verify RD Connection Broker configuration
• VDI & RDSH: monitor sessions
• Query virtual machine assignment
• Assign virtual machines to users or pools
• Verify Connection Broker cluster config
• Manage RD Connection Broker cluster
• Update RD Connection Broker cluster configuration
• Create RD redirection server clusters
• Add RD Virtualization Host servers to a Connection Broker cluster
http://gallery.technet.microsoft.com/ScriptCenter/en-us/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=remotedesktopservices&f%5B0%5D.Text=Remote%20Desktop%20Services&f%5B1%5D.Type=SubCategory&f%5B1%5D.Value=remotevirtualization&f%5B1%5D.Text=Remote%20Desktop%20Virtualization&pageIndex=1

MS or 3rd-Party Broker?

| Low-complexity environment: Microsoft VDI with Remote Desktop Connection Broker | Enterprise-ready environment: Microsoft VDI with 3rd-party Connection Broker |
| Single site/location | Multiple sites/locations |
| Static image placement | Dynamic image placement |
| Single virtual desktop pool | Multiple virtual desktop pools |
| Single, non-clustered broker | Multiple brokers in failover configuration |
| LAN-only connectivity | LAN & WAN connectivity |
| USB support limited to PnP devices | Generic USB support |

Compared to VMware*

| | Microsoft + Citrix | VMware |
| Cost | Costs 33% less than the VMware solution; familiar interfaces and technology reduce onboarding costs | Higher upfront costs; need additional training |
| Management | System Center can manage physical, virtual and session-based desktops, and non-Microsoft infrastructure such as Citrix and VMware | VirtualCenter can manage virtual desktops only, and only VMware infrastructure |
| User experience | Superior performance over both LAN and WAN | Excellent performance over LAN |
| Maturity of offerings | Multiple offerings to optimize clients, including desktop, MDOP and virtualization technology; most proven desktop company in the industry | Virtualization-only offerings; mature server virtualization offering, with limited desktop focus |
* Based on publicly available information as of 12/05/2008

Introducing the new Microsoft VDI Suites
• The Microsoft VDI Suites were developed to simplify licensing of VDI infrastructure
• Suite pricing shown: $21/device/year and $53/device/year
• Still need to purchase Virtual Enterprise Centralized Desktop (VECD) to host the Windows client OS in VDI scenarios

Summary: Centralized Desktop Options
Session Virtualization (fka TS)
• Low-cost image management
• Easiest admin management
• Least resources required
• Good compatibility for legacy apps
Personal Virtual Desktop
• High-cost image management
• Administrator access (user can install programs)
• High resource cost
• Better compatibility for legacy apps
Pooled Virtual Desktop
• Medium-cost image management
• Easier admin management than personal VM desktops
• Fewer resources than personal
• Better compatibility for legacy apps
Mix & match your options, based on end-user needs.

Resources
Remote Desktop Services Home Page: http://www.microsoft.com/windowsserver2008/en/us/rds-product-home.aspx
Remote Desktop Services Blog: http://blogs.msdn.com/rds/
Desktop Virtualization and VDI: http://www.microsoft.com/windows/enterprise/technologies/virtualization.aspx
www.microsoft.com/teched – Sessions On-Demand & Community
www.microsoft.com/learning – Microsoft Certification & Training Resources
http://microsoft.com/technet – Resources for IT Professionals
http://microsoft.com/msdn – Resources for Developers

Related Content
Breakout Sessions
• SVR206 Why Is Terminal Services called Remote Desktop Services?
• SVR310 Using the Microsoft Connection Broker to Provide VDI, Session, and Application Centralised Publishing
Interactive Theater Sessions
• SVR05-IS Remote Desktop Services: Infrastructure Design for Sessions or VDI
Hands-on Labs (session codes and titles)
Web Links: the Remote Desktop Services home page, the Remote Desktop Services blog and the Desktop Virtualization and VDI page listed under Resources.

Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Extensibility Architecture
[Figure: block diagram of the RDS publishing extensibility points. RD Web Access: Web UI, webfeed, RADC client runtime, 3rd-party connection file (MIME), RDC 7 client, 3rd-party client, RDP connection file. RD Connection Broker: Connection Brokering Service; Centralized Publishing Service with an assignments abstraction layer over the Personal Desktop plug-in (AD query), the VM Pool plug-in (VM pool configuration) and a 3rd-party assignment provider backed by a 3rd-party assignment & config store; Session, VM and 3rd-party resource plug-ins; a 3rd-party filter plug-in; list of app tokens; administered via the RD Connection Manager MMC tool. Resource hosts: WS08 Terminal Server (RemoteApp plug-in) and WS08 R2 RD Session Host (filtering). Win7 desktop shell: RADC shell integration, Start Menu placement, Control Panel view, RADC feed client cache & config, 3rd-party feed client, assignment policy.]